Wliat is claimed is: 



1. A method of establishing a security policy for a 
predetermined organization, the method comprising: 
5 a draft preparation step of preparing a security policy 

draft; 

an analysis step of examining a difference between the 
security policy draft and realities of the organization; and 
an adjustment step of adjusting the security policy draft 
0 on the basis of the difference or adjusting operation rules of 
an actual information system belonging to the organization on 
the basis of the difference. 

2 . The method of establishing a security policy according 
to claim 1, wherein the draft preparation step comprises: 

5 a preparation step of preparing inquiries to be siobmitted 

to members of an organization; 

an inquiry step of submitting the prepared inquiries to 
the members; 

an answer acquisition step of acquiring from the members 
0 answers to the inquiries; and 

a drafting step of preparing a security policy draft on 
the basis of the answers. 

3 . The method of establishing a security policy according 
to claim 2, wherein the preparation step involves preparation 

5 of inquiries on the basis of job specifications of members to 
be inquired. 

4 . The method of establishing a security policy according 
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to claim 2 , wherein the answer acquisition step includes at least 
one of the steps of; 

integrating the answers acquired from a single member from 
among the acquired answers and storing the integrated answers 
into storage means as answers of a single member to be inquired; 

re -submitting inquiries to members if contradictory 
answers are included in the answers, to thereby resolve 
contradiction, and storing the answers into the storage means; 
and 

assigning weights to answers according to job 
specifications of the members to be inquired if contradictory 
answers are included in the answers, to thereby estimate answers 
and show the estimated answers. 

5 . The method of establishing a security policy according 
to claim 2, wherein the analysis step comprises at least one 
of: 

a contradiction inspection step of inspecting whether or 
not contradictory answers are included in the answers; 

a first difference detection step of inspecting a 
difference between an information system virtually designed on 
the basis of the answers and the security policy, by means of 
comparison; and 

a second difference detection step of verifying the 
virtually- designed information system by means of examination 
of a real information system and inspecting a difference between 
the verified information system and the security policy draft 
by means of comparison. 
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6 . The method of establishing a security policy according 
to claim 5, further comprising a measurement step of devising 
measures addressing the inspected difference in conjunction with 
the priority of the measures. 

7 . The method of establishing a security policy according 
to claim 1, further comprising a diagnosis step of diagnosing 
the security state of the organization, wherein a result of 
diagnosis performed in the diagnosis step is submitted to the 
organization, wherewith the organization can become conscious 
of a necessity for a security policy. 

8 . The method of establishing a security policy according 
to claim 6, further comprising: 

a priority planning step of planning, in sequence of 
priority, implementation of the security measures which have 
been devised with priority, thereby embodying a budget of the 
organization . 

9 . The method of establishing a security policy according 
to claim 8, wherein the security measures comprise 

constructing a system for managing the establishing a 
security policy; 

introduction of a security system; 

training for compelling employees to respect a security 
policy; 

analysis of system logs; 
monitoring of a network; 

auditing operations on the basis of the security policy; 

and 
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reviewing the security policy. 

10 . The method of establishing a security policy according 
to claim 8, further comprising: 

a security enhancement measures implementation step of 
5 implementing the security measures in accordance with the plan. 

11. A method of establishing a security policy comprising: 

a preparation step of preparing inquiries to be suibmitted 
to members of an organization; 

an inquiry step of submitting the prepared inquiries to 
the members; 

an answer acquisition step of acquiring from the members 
answers to the inquiries; and 
T an establishment step of establishing a security policy 

"J on the basis of the answers. 

^15 12 . The method of establishing a security policy according 

i to claim 11, wherein the preparation step involves preparation 

of inquiries on the basis of job specifications of members to 

be inquired, 

13 . The method of establishing a security policy according 
20 to claim 11, wherein the answer acquisition step includes at 
least one of the steps of : 

integrating the answers acquired from a single member from 
among the acquired answers and storing the integrated answers 
into storage means as answers of a single member to be inquired; 
25 re-submitting inquiries to members if contradictory 

answers are included in the answers, to thereby resolve 
contradictions and storing the answers into the storage means; 
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and 

assigning weights to answers according to job 
specifications of the members to be inquired if contradictory 
answers are included in the answers, to thereby estimate answers 
and display the estimated answers . 

14 . The method of establishing a security policy according 
to claim 11, wherein the establishment step involves 
establishment of three levels of security policies: namely, 

an executive -level security policy which describes the 
organization's concept and policy concerning information 
security, in conformity with global guidelines; 

a corporate- level security policy which describes an 
information security system embodying the executive- level 
security policy; and 

a product -level security policy which describes measures 
to implement the executive -level security policy with reference 
to the corporate -level security policy, 

15 . The method of establishing a security policy according 
to claim 14, wherein the corporate- level security policy 
describes standards for the information security system of the 
overall organization; and standards for individual equipments 
constituting the information security system of the organization. 

16 . The method of establishing a security policy according 
to claim 14, wherein the product-level security policy includes 
two types of product-level policies; namely, 

a first- level security policy describing settings of 
individual equipment constituting the information security 
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system in natural language; and 

a second- level security policy describing settings of 
individual equipment constituting the information security 
system in specific language used in specific equipments. 

17 . The method of establishing a security policy according 
to claim 11, further comprising an analysis step of examining 
a difference between the security policy draft and realities 
of the organization; 

the analysis step further comprising at least one of 
a contradiction inspection step of inspecting 
whether or not contradictory answers are included in the answers ; 

a first difference detection step of inspecting a 
difference between the security policy and an information system 
virtually designed on the basis of the answers, by means of 
c ompa r i s on ; and 

a second difference detection step of verifying the 
virtually-designed information system by means of examination 
of a real information system and inspecting a difference between 
the verified information system and the security policy draft, 
by means of comparison. 

18 . The method of establishing a security policy according 
to claim 17, further comprising a measurement step of devising 
measures to the inspected difference, in conjunction with the 
priority of the measures . 

19. An apparatus of establishing a security policy 
comprising: 

inquiry preparation means for preparing inquiries to be 
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submitted to members of an organization; 

storage means for storing answers to the inquiries; 

answer archival storage means for acquiring from the 
members the answers to the inquiries and storing the answers 
into the storage means; and 

establishment means for establishing a security policy 
on the basis of the answers stored in the storage means. 

20. The apparatus for establishing a security policy 
according to claim 19, wherein the inquiry preparation means 
prepares inquiries to be submitted to the members to be inquired, 
on the basis of job specifications of the members to be inquired. 

21. The apparatus for establishing a security policy 
according to claim 19, wherein the answer archival storage means 

integrates the answers acquired from a single member from 
among the acquired answers and stores the integrated answers 
into the storage means as answers of a single member to be inquired ; 
or 

re-submits inquiries to members if contradictory answers 
are included in the answers, to thereby resolve contradiction, 
and stores the answers into the storage means; or 

assigns weights to answers according to job specifications 
of the members to be inquired if contradictory answers are included 
in the answers, to thereby estimate answers and display the 
estimated answers. 

22 . The apparatus for establishing a security policy 
according to claim 19, wherein the establishment means 
establishes three levels of security policies: namely. 
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an executive- level security policy which describes the 
organization's concept and policy concerning information 
security, in conformity with global guidelines; 

a corporate- level security policy which describes an 
5 information security system embodying the executive- level 
security policy; and 

a product- level security policy which describes measures 
to implement the executive -level security policy with reference 
to the corporate -level security policy. 
0 23 . The apparatus for establishing a security policy 

according to claim 22, wherein the corporate -level security 
policy describes standards for the information security system 
of the overall organization; and standards for individual 
equipments constituting the information security system of the 
5 organization . 

24 . The apparatus for establishing a security policy 
according to claim 22, wherein the product -level security policy 
includes two types of product- level policies; namely, 

a first -level security policy describing settings of 
0 individual equipments constituting the information security 
system in natural language; and 

a second- level security policy describing settings of 
individual equipments constituting the information security 
system in specific language used in specific equipments. 
5 25. A method of assessing the state of security of an 

organization, the method comprising: 

an inquiry preparation step of preparing inquiries to be 
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submitted to members of an organization; 

an inquiry step of submitting the prepared inquiries to 
the members ; 

an answer acquisition step of acquiring from the members 
answers to the inquiries; and 

a security state assessment step of assessing the state 
of security on the basis of the answers. 

26. The method of assessing the state of security of an 
organization according to claim 25, wherein the inquiry 
preparation step involves preparation of inquiries on the basis 
of job specifications of members to be inquired, 

27. The method of assessing the state of security of an 
organization according to claim 25, wherein the answer 
acquisition step involves integration of previous answers and 
acquired answers in a case where the answers are provided by 
an member to be inquired who has provided answers before, and 
involves storage of the integrated answers into storage means 
as answers from a single member to be inquired. 

28. The method of assessing the state of security of an 
organization according to claim 25, wherein the assessment of 
a security state includes 

assessment of security of the organization; 

average assessment of security of the other organizations 
included in an industry to which the organization pertains; and 

the highest security assessment which is considered to 
be attainable by organizations in the industry to which the 
organization pertains. 
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29. The method of assessing the state of security of an 
organization according to claim 25, wherein the assessment of 
a security state includes scores assigned to the following items; 
namely, 

5 understanding and attitude concerning security ; 

a security system of the organizations- 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to improve security. 
;|0 30. An apparatus of assessing the state of security of 

an organization, the apparatus comprising: 
:'- preparation means of preparing inquiries to be siibmitted 

K to members of the organization; 

tV^ storage means for storing answers to the inquiries; 

lis answer archival storage means of acquiring from the members 

. J the answers to the inquiries and storing the answers into the 
storage means; and 

security maturity preparation means for preparing a 
security maturity report representing the degree of maturity 
20 of security, on the basis of the answers stored in the storage 
means . 

31. The apparatus for assessing the state of security of 
an organi zat ion according to claim 3 0 , wherein the answer archival 
storage means integrates previous answers and acquired answers 
25 in a case where the answers are provided by a member to be inquired 
who has provided answers before , and stores the integrated answers 
into the storage means as answers from a single member to be 
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inquired. 

32 . The apparatus for assessing the state of security of 
an organization according to claim 3 0, wherein the security 
maturity report includes 

the degree of maturity of the organizations security; 

the average degree of maturity of security of other 
organizations included in an industry to which the organization 
pertains ; and 

the highest degree of maturity of security which is 
considered to be attainable by organizations in the industry 
to which the organization pertains. 

33, The apparatus for assessing the state of security of 
an organization according to claim 30, wherein the security 
maturity report includes scores assigned to the following items; 
namely, 

understanding and attitude concerning security; 
a security system of the organization; 
response to unexpected accidents; 
preparation of a budget for security; and 
measures to improve security. 

34 . An analyzer for analyzing a difference between a 
security policy and an information system of an organization, 
comprising 

contradiction inspection means for inspecting whether or 
not contradiction exists between individual answers in response 
to inquiries submitted to members of the organization; and 

contradiction output means for outputting information 
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about the inspected contradiction. 

35. The analyzer for analyzing a difference between a 
security policy and an information system of an organization 
according to claim 34, further comprising: 

indicating means for indicating the contradiction on the 
basis of the information about contradiction; 

establishment means for virtually establishing an 
information system for the organization on the basis of the answers 
free of contradiction; and 

difference output means for outputt ing a di f f erence between 
the configuration of the virtually-established information 
system and a security policy, by means of comparison. 

36, The analyzer for analyzing a difference between a 
security policy and an information system of an organization 
according to claim 35, further comprising: 

real system input means for examining the information 
system of the organization and entering the configuration of 
the information system; and 

difference output means which verifies the 
virtually-established information system by reference to the 
configuration of the information system and outputs a difference 
between a security policy and the configuration of the 
virtually-established information system which has been verified, 
by means of comparison. 

3 7 . The method of establishing a security policy according 
toclaim2, wherein, inthe inquiry preparation step, the inquiries 
are generated in accordance with the line of business of the 
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organi 2 at ion . 

38 . The method of establishing a security policy according 
to claim 11, wherein, in the inquiry preparation step, the 
inquiries are generated in accordance with the line of business 
of the organization. 

39 . The security policy establishment apparatus according 
to claim 19, wherein the inquiry preparation means generates 
inquiries to be submitted to an interviewee in accordance with 
the line of business of the organization. 

40 . The method of establishing a security policy according 
to claim 2, wherein, in the drafting step, a security policy 
is established on the basis of recommendations or regulations 
aimed at a specific line of business. 

41 . The method of establishing a security policy according 
toclaimll, wherein, in the establishment step, a security policy 
is established on the basis of recommendations or regulations 
aimed at a specific line of business. 

42, The security policy establishment apparatus according 
to claim 19, wherein the establishment means establishes a 
security policy on the basis of items of recommendations or 
regulations aimed at a specific line of business. 

43 . The method of establishing a security policy according 
to claim 2, wherein, in the drafting step, a security policy 
is established on the basis of items of global guidelines of 
one or a plurality of types prescribed by a user. 

44 . The method of establishing a security policy according 
to claim 43, wherein, in the inquiry preparation step, inquiries 
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are generated on the basis of items of global guidelines of one 
or a plurality of types prescribed by a user. 

45 . The method of establishing a security policy according 
toclaimll, wherein, in the establishment step, a security policy 
is established on the basis of items of global guidelines of 
one or a plurality of types prescribed by a user. 

46 . The method of establishing a security policy according 
to claim 45, wherein, in the inquiry preparation step, inquiries 
are generated on the basis of items of global guidelines of one 
or a plurality of types prescribed by a user. 

47 . The security policy establishment apparatus according 
to claim 19, wherein the establishment means establishes a 
security policy on the basis of items of global guidelines of 
one or a plurality of types prescribed by a user. 

48 . The security policy establishment apparatus according 
to claim 47, wherein the inquiry preparation means generates 
inquiries to be submitted to interviewees, on the basis of items 
of global guidelines of one or a plurality of types prescribed 
by a user. 

4 9 . The method of establishing a security policy according 
to claim 2, wherein, in the establishment step, a security policy 
is established on the basis of an indicator of rigorousness of 
security policy prescribed by the user. 

50 . The method of establishing a security policy according 
to claim 49, wherein, in the inquiry preparation step, the 
inquiries are generated on the basis of an indicator of 
rigorousness of security policy prescribed by the user. 
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51 . The method of establishing a security policy according 
to claim 11, wherein, in the establishment step, a security policy 
is established on the basis of an indicator of rigorousness of 
security policy prescribed by the user. 

52 . The method of establishing a security policy according 
to claim 51, wherein, in the inquiry preparation step, the 
inquiries are generated on the basis of an indicator of 
rigorousness of security policy prescribed by the user. 

53 . The security policy establishment apparatus according 
to claim 19, wherein the establishment means establishes a 
security policy on the basis of an indicator of rigorousness 
of security policy prescribed by the user. 

54 . The security policy establishment apparatus according 
to claim 53 , wherein the inquiry preparation means generates 
inquiries , on the basis of an indicator of rigorousness of security 
policy prescribed by the user. 

55. A security policy rigorousness adjustment method for 
adjusting the level of rigorousness of a security policy, 
comprising: 

a rigorousness adjustment step of replacing the rules which 
have been determined not to match the indicator of rigorousness 
prescribed by a user with rules matching the indicator; and 

a merge and output step of merging the rules matching the 
indicator of rigorousness from the beginning with the rules that 
in the rigorousness adjustment step have replaced the rules not 
matching the indicator and of outputting the merged rules. 

56. A security policy rigorousness adjustment apparatus 
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for adjusting the level of rigorousness of a security policy, 
comprising: 

rigorousness adj ustment means for replacing the rules which 
have been determined not to match the indicator of rigorousness 
prescribed by a user with rules matching the indicator; and 

merge and output means for merging the rules matching the 
indicator of rigorousness from the beginning with the rules which 
in the rigorousness adjustment means have replaced the rules 
not matching the indicator and for outputting the merged rules , 

57, A method of establishing a security policy of a 
predetermined organization, comprising: 

an inquiry preparation step of generating inquiries which 
pertain to items required for establishing a security policy 
of the organization and are to be submitted to members of the 
organizat ion ; 

an inquiry step of submitting the generated inquiries to 
the members; 

an answer acquisition step of acquiring from the members 
answers to the inquiries; and 

an establishment step of establishing a security policy 
draft on the basis of the answers, wherein, in the establishment 
step, a securitypolicy within a range of establishment prescribed 
by the user is established, 

58 , The method of establishing a security policy according 
to claim 57, wherein, in the inquiry preparation step, inquiries 
pertaining to the range of establishment prescribed by the user 
are generated. 
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59. A security policy establishment apparatus for 
establishing a security policy of a predetermined organization, 
comprising: 

inquiry preparation means for generating inquiries which 
pertain to items required for establishing a security policy 
of the organization and are to be submitted to members of the 
organi zat ion ; 

storage means for storing answers to the generated 
inquiries; 

answer archival storage means for acquiring answers to 
the generated inquiries and storing the answers into the storage 
means ; and 

establishment means for establishing a security policy 
within the range of establishment prescribed by the user. 

60 . The security policy establishment apparatus according 
to claim 59, wherein the inquiry preparation means generates 
inquiries pertaining to the range of establishment prescribed 
by the user. 

61. A computer -readable recording medium having recorded 
thereon a program for causing a computer to perform: 

inquiry preparation procedures for generating inquiries 
which pertain to items required for establishing a security policy 
of the organization and are to be submitted to members of the 
organization; 

answer archival procedures for entering answers to the 
generated inquiries and storing the answers into storage means; 
and 



117 



establishment procedures for establishing a security 
policy on the basis of the answers stored in the storage means. 

62. The recording medium according to claim 61, wherein, 
in the inquiry preparation procedures, inquiries to be submitted 

5 to interviewees are generated on the basis of job specifications 
of the interviewees . 

63. The recording medium according to claim 61, wherein, 
in the answer archival procedures, the answers acquired from 
a single member from among the acquired answers are integrated, 

ifO and the integrated answers are stored into the storage means 
I: as answers of a single member to be inquired; or 

weights are assigned to answers according to job 
B specifications of the members to be inquired if contradictory 

answers are included in the answers, to thereby estimate final 
i5 answers and display the estimated final answers. 
■-\ , The recording medium according to claim 61, wherein, 

in the inquiry preparation procedures, inquiries to be submitted 

to the interviewees are generated on the basis of the line of 

business of the organization, 
20 65- The recording medium according to claim 61, wherein, 

in the establishment procedures, a security policy is established 

on the basis of items of global guidelines of one or a plurality 

of types prescribed by a user. 

66. The recording medium according to claim 61, wherein, 
25 in the inquiry preparation procedures, the inquiries are 

generated on the basis of an indicator of rigorousness of security 

policy prescribed by the user. 
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67. The recording medium according to claim 61, wherein, 
in the establishment procedures, a security policy within a range 
of establishment prescribed by the user is established. 

68 . A computer-readable recording medium having recorded 
thereon a program for causing a computer to perform: 

inquiry preparation procedures for outputting inquiries 
which pertain to items required for evaluating the degree of 
maturity of security of a predetermined organization and are 
to be submitted to members of the organization; 

answer archival procedures for entering answers to the 
outputted inquiries and storing the answers into storage means ; 
and 

security maturity preparation procedures for preparing 
a security maturity report representing the degree of maturity 
of security, on the basis of the answers stored in the storage 
means . 

69. The recording medium according to claim 68, wherein 
the inquiry preparation means generates inquiries to be submitted 
to interviewees, on the basis of job specifications of the 
interviewees . 

70, A computer- readable recording medium having recorded 
thereon a program for causing a computer to perform: 

contradiction inspection procedures for inspecting 
whether or not contradiction exists between individual answers 
submitted in response to inquiries which pertain to items required 
for ascertaining a difference between a security policy of the 
predetermined organization and an information system of the 
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organization and which have been submitted to members of a 
predetermined organization; and 

contradiction output procedures for outputting 
information about the inspected contradiction. 

71. The recording medium according to claim 70, further 
comprising: 

indicating procedures for indicating the contradictions 
on the basis of the information about contradictions- 
establishment procedures for virtually establishing the 
configuration of an information system of the organization, on 
the basis of the answers free of contradictions; and 

difference output procedures for outputting a difference 
between the configuration of the virtually-established 
information system and the security policy, obtained by means 
of comparison. 

72 . A computer- readable recording medium having recorded 
thereon a program for causing a computer to perform: 

rigorousness adjustment procedures for replacing the rules 
which have been determined not to match the indicator of 
rigorousness prescribed by a user with rules matching the 
indicator of rigorousness; and 

merge and output procedures for merging the rules matching 
the indicator of rigorousness from the beginning with the rules 
which in the rigorousness adjustment procedure have replaced 
the rules not matching the indicator and for outputting the merged 
rules . 

73. A program for causing a computer to perform: 
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inquiry preparation procedures for generating inquiries 
whichpertain to items required for establishing a security policy 
of a predetermined organization and are to be submitted to members 
of the organizations- 
answer archival procedures for entering answers to the 
generated inquiries and storing the answers into storage means; 
and 

establishment procedures for establishing a security 
policy on the basis of the answers stored in the storage means. 

74. The program according to claim 73, wherein, in the 
inquiry preparation procedures, inquiries to be submitted to 
interviewees are generated on the basis of job specifications 
of the interviewees . 

75. The program according to claim 73, wherein, in the 
answer archival procedures, the answers acquired from a single 
member from among the acquired answers are integrated, and the 
integrated answers are stored into the storage means as answers 
of a single member to be inquired; or 

weights are assigned to answers according to job 
specifications of the members to be inquired if contradictory 
answers are included in the answers, to thereby estimate final 
answers and display the estimated final answers. 

76. The program according to claim 73, wherein, in the 
inquiry preparation procedures, inquiries to be submitted to 
the interviewees are generated on the basis of the line of business 
of the organization. 

77. The program according to claim 73, wherein, in the 
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establishment procedures, a security policy is established on 
the basis of items of global guidelines of one or a plurality 
of types prescribed by a user. 

78. The recording medium according to claim 12, wherein, 
in the inquiry preparation procedures, the inquiries are 
generated on the basis of an indicator of rigorousness of security 
policy prescribed by the user. 

79. The recording medium according to claim 73, wherein, 
in the establishment procedures , a security policy within a range 
of establishment prescribed by the user is established. 

80. A program for causing a computer to perform: 
inquiry preparation procedures for outputting inquiries 

which pertain to items required for evaluating the degree of 
maturity of security of a predetermined organization and are 
to be submitted to members of the organization; 

answer archival procedures for entering answers to the 
outputted inquiries and storing the answers into storage means; 
and 

security maturity preparation procedures for preparing 
a security maturity report representing the degree of maturity 
of security, on the basis of the answers stored in the storage 
means . 

81. A program for causing a computer to perform: 
contradiction inspection procedures for inspecting 

whether or not contradiction exits between individual answers 
in response to inquiries which pertain to items required for 
ascertaining a difference between a security policy of the 
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predetermined organization and an information system of the 
organization and which have been submitted to members of a 
predetermined organization; and 

contradiction output procedures for outputting 
information about the inspected contradiction. 

82 . The program according to claim 81, further comprising: 

matching procedures for matching the answers on the basis 
of the information about contradiction, thus producing answers 
free of contradiction; 

establishment procedures for virtually establishing the 
configuration of an information system of the organization, on 
the basis of the answers produced by the matching procedure; 
and 

difference output procedures for outputting a difference 
between the configuration of the virtually-established 
information system and the security policy, obtained by means 
of comparison. 

83. A program for causing a computer to perform: 

level-of -rigorousness inspection procedures for 
inspecting whether or not individual rules of the security policy 
match an indicator of rigorousness prescribed by a user; 

rigorousness adjustment procedures for replacing the rules 
which have been determined not to match the indicator in the 
level-of -rigorousness inspection procedure with rules matching 
the indicator of rigorousness; and 

merge and output procedures for merging the rules matching 
the indicator of rigorousness from the beginning with the rules 
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which in the rigorousness adjustment procedure have replaced 
the rules not matching the indicator and for outputting the merged 
rules . 
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